The '10 steps to cyber security' was originally published by the National Cyber Security Centre (NCSC) back in 2012 and is now used by a significant number of larger organisations throughout the UK. The NCSC believe that understanding the cyber environment, and adopting an approach aligned with the 10 steps, is an effective means to help protect an organisation from cyber-attacks.
Like all departments here in Defra we face a range of cyber security challenges. So let’s look at how we are adopting these 10 steps to cyber security:
1. Risk management
It is important to assess the risks to the organisation. To achieve this, we have a risk management regime supported by the board and senior managers. Within security we have a specific Security Risk Lead whose brief it is to assess and record mitigating actions against all security risks.
2. Network security
This is a largely technical control. We have multiple systems in place to filter out unauthorised access to our systems and protect them from malicious content. Our SOC (Cyber Security Operations Centre) monitor these 24x7, report on outputs and advise the incident team, senior managers and the communications teams as necessary.
3. Malware prevention
This is actually both a technical and a human control. Defra has a layer of technical cyber security controls which include IDS, firewalls, web filtering and endpoint protection. This, supported by relevant policies, has established anti-malware defences across the organisation. However, we also recognise that individuals have a part to play, as theoretically people can be the strongest point of any cyber defence. Through training and communications messages we seek to create a culture of staff awareness in all aspects of security. This effectively seeks to create a ‘human firewall’ to support our technical one.
4. User education and awareness
To support our security policies covering acceptable and secure use of our systems, we take a proactive approach to staff training. We have a mandated annual Civil Service Responsible for Information course, supplemented by other optional free courses available to our people and advertised throughout the year. This is further supported by communications to maintain our people’s awareness of cyber risks. In the last 6 months we have produced and circulated over 39 security messages, with over 50% covering cyber security.
5. Removable media controls
The uncontrolled use of removable media can increase the risk of malware being transferred to critical business systems. This is why in most cases the removable media access points on our laptops are disabled. With the move to cloud-based collaboration systems such as Office365, our dependence on removable media has fallen dramatically. Where it cannot be avoided, we follow the basic advice of limiting the types of media which can be used and the permitted circumstances of this use. There are procedures in place which require that all media is scanned for malware on standalone systems before importing onto the corporate system.
6. Secure configuration
This means that we ensure the application of technical security patches and ensure the secure configuration of all our systems is maintained. In the main this is covered by the various teams of specialists, including our suppliers, who ensure that the patches are introduced quickly and effectively. We have a number of teams working together to build and maintain our systems as well as monitoring the performance of our external equipment suppliers.
7. Managing user privileges
We have sought to establish effective management processes and limit the number of privileged accounts. We limit user privileges to those needed for their general work. We do this in a number of ways, linked to the initial access account created for our employees when they first join the organisation and to regular reviews.
8. Monitoring
Collaborative working agreements with our range of suppliers and our own internal SOC keep a constant eye on the activities of the 26,000 staff and external stakeholders. A monitoring strategy and supporting policies exist to monitor all systems and networks. Logs are analysed for unusual activity that could indicate an attack and reports are then produced for incident and communications teams.
9. Incident management
We have an established incident response and disaster recovery capability within Defra security. Defra are familiar with Incident Management as we are also the lead agency in flooding or animal disease outbreaks. Our incident management plans are regularly tested and specialist training is provided where needed.
10. Home and mobile working
Given recent developments, one of our main priorities in recent months was to develop and communicate a mobile working policy and train staff to adhere to it. Defra already had a proven track record of flexible working but Covid-19 put even the best plans to the test. This was a challenge as many factors, such as VPN capacity and video calling, needed to be expanded at scale in a comparatively short time. We were able to respond rapidly and implement a number of new processes to deal with the issues Covid posed whilst maintaining appropriate levels of security.
It is hopefully reassuring to note that the systems we have in place cover off the recommendations of the NCSC. Our security processes all support existing policies and are monitored and protected by Defra group security.
There are a number of security policies and procedures that apply across Defra. They are critical in providing assurance to our customers that Defra takes seriously the confidentiality, integrity and availability of data placed in its care. This also helps provide reassurance that we recognise it is of paramount importance that we maintain the security of our information and the systems or locations where our information may reside.
Cyber Aware is the UK government's advice on how to stay secure online during coronavirus. Many of us are spending more time online. Keep yourself and your family secure by following our advice.
Stay connected. Stay Cyber Aware.